
Re: Client-side password encryption

From: Andreas Pflug <pgadmin(at)pse-consulting(dot)de>
To: Dave Page <dpage(at)vale-housing(dot)co(dot)uk>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgadmin-hackers(at)postgresql(dot)org
Subject: Re: Client-side password encryption
Date: 2005-12-18 16:07:04
Message-ID: 43A58928.3020408@pse-consulting.de
Lists: pgadmin-hackers, pgsql-hackers
Dave Page wrote:
> 
> 
> -----Original Message-----
> From: pgadmin-hackers-owner(at)postgresql(dot)org on behalf of Peter Eisentraut
> Sent: Sun 12/18/2005 2:25 AM
> To: pgadmin-hackers(at)postgresql(dot)org
> Subject: [pgadmin-hackers] Client-side password encryption
> 
> 
>> Commands like CREATE USER foo PASSWORD 'bar' transmit the password
>> in cleartext and possibly save the password in various client or
>> server log files.  I have just fixed this for psql and createuser
>> to encrypt the password on the client side.  A quick check of the
>> pgadmin3 source code shows that you are also affected by this
>> issue.  I ask you to check where you paste cleartext passwords into
>> SQL commands and change those to encrypt the password before
>> sending or storing it anywhere. The required function
>> pg_md5_encrypt() is contained in libpq.
> 
> 
> So did you just rip it from there into psql? I don't see it in the
> list of libpq exports, so if that's not the case, on Windows at least
> we'll need to change the API, and possibly the DLL name as well, to
> avoid any compatibility issues.

And a prototype in libpq-fe.h wouldn't hurt either... And a macro, to 
enable distinguishing md5-enabled libpq versions from older versions.


Regards,
Andreas
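The technique Peter describes, as an added example that is not code from this thread, pgadmin3 or libpq: a client-side helper that reproduces the storage format libpq's pg_md5_encrypt() produces ("md5" followed by the hex MD5 of password concatenated with the role name), recognises a value that is already in that format, and builds the CREATE USER statement so that only the hash, never the cleartext, appears in the SQL text that reaches the server and its logs. The function names and the quoting helpers are this example's own.

```python
import hashlib
import re

# Storage format PostgreSQL uses for md5 passwords: the literal prefix "md5"
# followed by 32 lowercase hex digits, 35 characters in total.
MD5_PASSWORD_RE = re.compile(r"^md5[0-9a-f]{32}$")


def pg_md5_encrypt(password: str, username: str) -> str:
    """Return the md5-prefixed hash PostgreSQL stores for this role.

    The role name acts as the salt, so the same password yields a different
    value for each user. The result is still the credential the server checks
    during md5 authentication, so it is handled as a secret, not as public data.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def is_md5_encrypted(value: str) -> bool:
    """True if value is already in the 'md5<32 hex>' storage format."""
    return bool(MD5_PASSWORD_RE.match(value))


def quote_literal(s: str) -> str:
    """SQL string literal: double any embedded single quotes."""
    return "'" + s.replace("'", "''") + "'"


def quote_ident(s: str) -> str:
    """SQL identifier: double any embedded double quotes."""
    return '"' + s.replace('"', '""') + '"'


def create_user_sql(username: str, password: str) -> str:
    """Build CREATE USER with the password hashed on the client side.

    A value that already looks encrypted is passed through unchanged, which
    is how psql avoids double-hashing a hash pasted by the administrator.
    """
    encrypted = password if is_md5_encrypted(password) else pg_md5_encrypt(password, username)
    return f"CREATE USER {quote_ident(username)} PASSWORD {quote_literal(encrypted)}"


if __name__ == "__main__":
    # Constructed sample input: the role and password from Peter's message.
    print(create_user_sql("foo", "bar"))
```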
